heap-buffer-overflow has occurred when running program svgpng in function gray_split_cubic at /3rdparty/plutovg/plutovg-ft-raster.c:889:15
Version

commit d1eec967ec515395cfd669a1bfed8d5a6a119dde (HEAD -> master, origin/master, origin/HEAD)
Author: sammycage <sammycageagle@gmail.com>
Date:   Mon Jan 22 00:48:35 2024 +0100

Steps to reproduce

$ mkdir build
$ cd build
$ CFLAGS+="-fsanitize=address -fno-omit-frame-pointer -fsanitize-recover=address" cmake -DLUNASVG_BUILD_EXAMPLES=ON ../
$ make -j8
$ ./svg2png ./poc0

=================================================================
==11365==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7dfac360 at pc 0x55fcd922d1d5 bp 0x7ffe7dfabf10 sp 0x7ffe7dfabf00
WRITE of size 8 at 0x7ffe7dfac360 thread T0
    #0 0x55fcd922d1d4 in gray_split_cubic /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:889
    #1 0x55fcd922e356 in gray_render_cubic /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1000
    #2 0x55fcd922fe76 in PVG_FT_Outline_Decompose /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1361
    #3 0x55fcd92301fb in gray_convert_glyph_inner /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1400
    #4 0x55fcd9231168 in gray_convert_glyph /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1507
    #5 0x55fcd9232016 in gray_raster_render /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1608
    #6 0x55fcd92321fe in PVG_FT_Raster_Render /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:1620
    #7 0x55fcd9227522 in plutovg_rle_rasterize /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-rle.c:262
    #8 0x55fcd921318e in plutovg_fill_preserve /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg.c:461
    #9 0x55fcd9212bb3 in plutovg_fill /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg.c:423
    #10 0x55fcd91fd709 in lunasvg::Canvas::fill(lunasvg::Path const&, lunasvg::Transform const&, lunasvg::WindRule, lunasvg::BlendMode, double) (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xf5709)
    #11 0x55fcd91f253a in lunasvg::FillData::fill(lunasvg::RenderState&, lunasvg::Path const&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xea53a)
    #12 0x55fcd91f2ce4 in lunasvg::LayoutShape::render(lunasvg::RenderState&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xeace4)
    #13 0x55fcd91f0a07 in lunasvg::LayoutContainer::renderChildren(lunasvg::RenderState&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xe8a07)
    #14 0x55fcd91f130a in lunasvg::LayoutSymbol::render(lunasvg::RenderState&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xe930a)
    #15 0x55fcd91bcaf2 in lunasvg::Document::render(lunasvg::Bitmap, lunasvg::Matrix const&) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xb4af2)
    #16 0x55fcd91bcf03 in lunasvg::Document::renderToBitmap(unsigned int, unsigned int, unsigned int) const (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xb4f03)
    #17 0x55fcd91ba2cd in main (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xb22cd)
    #18 0x7fa7139e4082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x55fcd91b411d in _start (/home/du4t/Desktop/Fuzz/lunasvg/reproduce/svg2png+0xac11d)

Address 0x7ffe7dfac360 is located in stack of thread T0 at offset 864 in frame
    #0 0x55fcd922d6d0 in gray_render_cubic /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:915

  This frame has 1 object(s):
    [48, 832) 'bez_stack' (line 916) <== Memory access at offset 864 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/du4t/Desktop/Fuzz/lunasvg/3rdparty/plutovg/plutovg-ft-raster.c:889 in gray_split_cubic
Shadow bytes around the buggy address:
==11365==ABORTING

POC
https://github.com/Du4t/POC/blob/main/lunasvg/poc0
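The ASan frame above shows gray_split_cubic writing 32 bytes past the 784-byte bez_stack that gray_render_cubic keeps on its stack. The following is an added illustration, not code from lunasvg or plutovg: a FreeType-style cubic flattening loop (a fixed split stack that the split routine pushes three points onto) with an explicit depth guard, so the split pointer can never leave the array even when the flatness test never succeeds (NaN or huge coordinates). The names, the 16-level budget, and the second-difference flatness test are my assumptions, not the project's.

```c
#include <assert.h>
#include <math.h>

#define MAX_SPLIT_DEPTH 16   /* assumed budget; FreeType-derived rasterizers use 16 levels */
/* A split at depth d writes arc[0..6] = bez_stack[3d .. 3d+6]. The deepest split
   happens at depth MAX_SPLIT_DEPTH-1, so the array must reach index 3*(MAX-1)+6. */
#define BEZ_STACK_LEN (3 * MAX_SPLIT_DEPTH + 4)

typedef struct { double x, y; } vec2;
typedef struct { int segments; int depth_limited; } flatten_result;

static vec2 mid(vec2 a, vec2 b) { vec2 m = { (a.x + b.x) / 2, (a.y + b.y) / 2 }; return m; }

/* De Casteljau: replace the cubic arc[0..3] by its two halves in arc[0..6]. */
static void split_cubic(vec2 *arc) {
    vec2 q0 = mid(arc[0], arc[1]), q1 = mid(arc[1], arc[2]), q2 = mid(arc[2], arc[3]);
    vec2 r0 = mid(q0, q1), r1 = mid(q1, q2);
    arc[6] = arc[3]; arc[5] = q2; arc[4] = r1; arc[3] = mid(r0, r1); arc[2] = r0; arc[1] = q0;
}

/* Flat enough when the control polygon's second differences are within tol.
   Four explicit <= tests on purpose: a NaN coordinate fails every one of them,
   so NaN input keeps asking for splits and only the depth guard can stop it. */
static int flat_enough(const vec2 *arc, double tol) {
    return fabs(2 * arc[1].x - arc[0].x - arc[2].x) <= tol && fabs(2 * arc[1].y - arc[0].y - arc[2].y) <= tol
        && fabs(2 * arc[2].x - arc[1].x - arc[3].x) <= tol && fabs(2 * arc[2].y - arc[1].y - arc[3].y) <= tol;
}

/* Flatten the cubic p0..p3 into line segments (counted rather than drawn).
   depth_limited is set when the guard, not the flatness test, ended a split. */
flatten_result flatten_cubic(vec2 p0, vec2 p1, vec2 p2, vec2 p3, double tol) {
    vec2 bez_stack[BEZ_STACK_LEN];
    vec2 *arc = bez_stack;
    int depth = 0;
    flatten_result r = { 0, 0 };
    arc[0] = p3; arc[1] = p2; arc[2] = p1; arc[3] = p0;   /* "to" first, so halves pop in curve order */
    for (;;) {
        if (!flat_enough(arc, tol)) {
            if (depth < MAX_SPLIT_DEPTH) {
                assert(arc + 6 < bez_stack + BEZ_STACK_LEN);   /* the bound the guard guarantees */
                split_cubic(arc);
                arc += 3; depth++;
                continue;
            }
            r.depth_limited = 1;   /* budget exhausted: emit the chord instead of splitting again */
        }
        r.segments++;              /* a line from arc[3] to arc[0] would be rendered here */
        if (arc == bez_stack) return r;
        arc -= 3; depth--;
    }
}
```

The NaN case is the one worth keeping in a regression test: without the depth guard the loop above is exactly an unbounded writer into bez_stack.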